US9055107B2ActiveUtilityA1

Authentication delegation based on re-verification of cryptographic evidence

68
Assignee: MEDVINSKY GENNADYPriority: Dec 1, 2006Filed: Dec 1, 2006Granted: Jun 9, 2015
Est. expiryDec 1, 2026(~0.4 yrs left)· nominal 20-yr term from priority
H04L 9/3271H04L 29/06965H04L 9/3263H04L 9/3213H04L 2209/38G06F 2221/2115H04L 63/0823H04L 63/166G06F 21/33H04L 9/50H04L 63/0884H04L 63/0807H04L 2463/121
68
PatentIndex Score
5
Cited by
62
References
20
Claims

Abstract

The method of delegating authentication, within a chain of entities, relies upon a recording of at least a portion of a TLS handshake between a gateway device and user, in which the user needs access to a desired server. The method then relies upon re-verification of cryptographic evidence in the recorded portion of the TLS handshake, which is forwarded either (1) to the server to which access is desired, in which case the server re-verifies the recorded portion to confirm authentication, or, (2) to a third party entity, in which case the third party entity confirms authentication and provides credentials to the gateway server which then uses the credentials to authenticate to the server as the user.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. A method of authentication delegation between a client/user accessing a service provider through a gateway, the method comprising the steps of:
 performing a Transport Layer Security (TLS) handshake with client authentication between the client/user and the gateway, said TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages; 
 recording at least a sufficient portion of messages of the TLS handshake to indicate that the client/user is authenticated to the gateway, wherein said at least the sufficient portion includes messages specified in the protocol and all messages specified in the protocol up to and including a certificate verify message, wherein said at least the sufficient portion of the messages of the TLS handshake are exchanged between the client/user and the gateway; and 
 providing the recording of all messages up to and including the certificate verify message, from the gateway to the service provider, wherein all messages provided are digitally signed, 
 wherein access to the service provider is based on the at least the sufficient portion of the messages of the TLS handshake that are exchanged between the client/user and the gateway. 
 
     
     
       2. The method of  claim 1 , wherein the service provider is not involved in the authentication between the client/user and the gateway. 
     
     
       3. The method of  claim 1 , wherein said providing step provides the recording directly from the gateway to the service provider. 
     
     
       4. The method of  claim 1 , further comprising the step of embedding timestamp data in messages in the TLS handshake. 
     
     
       5. The method of  claim 4 , wherein the client/user embeds the timestamp data. 
     
     
       6. The method of  claim 4 , wherein the gateway embeds the timestamp data. 
     
     
       7. The method of  claim 1 , further comprising the step of embedding a nonce provided by the service provider in a message from the gateway to the client/user as part of the TLS handshake. 
     
     
       8. The method of  claim 1 , wherein the service provider maintains a memory of all received recordings and confirms that a same recording is not used more than once. 
     
     
       9. The method of  claim 1 , wherein the step of performing the TLS handshake further comprises:
 performing a first handshake without client authentication; and 
 upon successful completion of said performing a first handshake, performing a second handshake with client authentication. 
 
     
     
       10. The method of  claim 9 , wherein said second handshake between the client/user and gateway is encrypted by a session key derived from said first handshake. 
     
     
       11. The method of  claim 10 , wherein the recording provided to the service provider is unencrypted. 
     
     
       12. A system, comprising:
 at least one processor and at least one memory; 
 the at least one memory including instructions that when executed on the at least one processor perform actions including: 
 performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages; 
 recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and 
 providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed, 
 wherein access to the service provider is based on the at least sufficient portion of the messages. 
 
     
     
       13. The system of  claim 12 , wherein performing a TLS handshake further comprises:
 performing a first handshake without client authentication; and 
 upon successful completion of said performing a first handshake, performing a second handshake with client authentication. 
 
     
     
       14. The system of  claim 13 , wherein the second handshake is encrypted by a session key derived from said second handshake. 
     
     
       15. The system of  claim 12 , wherein timestamp data is embedded in at least one of the messages of the TLS handshake and the wherein access to the service provider is based on the timestamp data and the at least sufficient portion of the messages. 
     
     
       16. A machine-readable storage medium, not comprising a signal per se, storing herein at least one computer program that when executed performs actions comprising:
 performing a Transport Layer Security (TLS) handshake with client authentication, the TLS handshake with client authentication being defined by a protocol that specifies an exchange of a plurality of messages; 
 recording at least a sufficient portion of messages of the TLS handshake to indicate authentication to a gateway, wherein the at least sufficient portion of messages includes messages specified in the protocol up to and including a certificate verify message, wherein the at least sufficient portion of the messages of the TLS handshake are exchanged between a user and the gateway; and 
 providing the recording of the at least sufficient portion of messages to a service provider, wherein all messages provided are digitally signed, 
 wherein access to the service provider is based on the at least sufficient portion of the messages. 
 
     
     
       17. The machine-readable storage medium of  claim 16 , wherein the service provider re-verifies the validity of the TLS handshake in order to provide access. 
     
     
       18. The machine-readable storage medium of  claim 16 , wherein performing a TLS handshake further comprises:
 performing a first handshake without client authentication; and 
 upon successful completion of said performing a first handshake, performing a second handshake with client authentication. 
 
     
     
       19. The machine-readable storage medium of  claim 18 , wherein the second handshake is encrypted by a session key derived from said second handshake. 
     
     
       20. The machine-readable storage medium of  claim 16 , wherein timestamp data is embedded in at least one of the messages of the TLS handshake and the wherein access to the service provider is based on the timestamp data and the at least sufficient portion of the messages.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.